Hi all,
I posted this recently on the Red Hat PPP list, but never saw any replies
(actually, I never saw my post show up, but that might be normal). Anyway,
I thought I'd post it here to see if anyone has any suggestions.
advTHANKSance... :-)
-Jon
10/13/99
---------------------------------------------------------------------------
Greetings,
Does anyone have any clear documentation on how to setup ipchains for a
"traditional" firewall? By "traditional" I mean a Linux (RH) box that sits
between an Intranet and an ISP, such that the machines on the Intranet
access the Internet via a proxy server on the Linux box. In other words,
use a proxy server; don't do masquerading.
Most of the docs I see talk about how to setup ipchains using masquerading,
but I do not want to do masquerading (that's a topic for another thread :-)
I've read through so many docs that I'm now second guessing myself as to
how to setup ipchains... :-/
To date, I've setup a Linux (Red Hat 6.0) box for our church to act as a
firewall (using 'squid' as the proxy server). There are some Win-95
machines on the Intranet; I've installed Netscape on these and have
configured them to use the proxy server on the gateway. Once I had
everything working, I turned to ipchains. I've attached below a script I
wrote that will generate an ipchains.rule file which gets reloaded on boot
up (the reload is handled in rc.local).
So, machine-wise, this is what I'm dealing with :
(1) The Linux gateway machine that sits between the Intranet and
our ISP. I'm the only person that has access to this machine,
so I want full abilities to reach anywhere on the Internet.
Also, our ISP does mail queuing for us; when we connect the ISP
tries to send us any email that has arrived for our
domain while we weren't connected.
(2) Win-95 machines on our Intranet. Only want people to be able
to surf the web and download files via FTP using Netscape
(configured to use the proxy server on the gateway machine).
(3) The ISP and other machines on the Internet. These are evil
machines which should not be allowed access to anything on
our Intranet unless absolutely necessary. :->
Given that, this is what I'm trying to accomplish :
- Allow: Web access from gateway machine to Internet.
- Allow: Web access from Win-95 machines to gateway.
- Allow: Web access from Win-95 machines to Internet via proxy on
gateway.
- Deny: Web access from any Internet machine to gateway machine.
- Deny: Web access from any Internet machine to Win-95 machines.
- Allow: FTP from gateway machine to Internet.
- Allow: FTP from Win-95 machines to gateway.
- Allow: FTP from Win-95 machines to Internet via proxy on gateway.
- Deny: FTP from any Internet machine to gateway machine.
- Deny: FTP from any Internet machine to Win-95 machines.
- Allow: News from gateway machine to Internet.
- Allow: News from Win-95 machines to gateway.
- Allow: News from Win-95 machines to Internet via proxy on gateway.
- Deny: News from any Internet machine to gateway machine.
- Deny: News from any Internet machine to Win-95 machines.
- Allow: Telnet from gateway machine to Internet.
- Allow: Telnet from Win-95 machines to gateway.
- Deny: Telnet from Win-95 machines to Internet.
- Deny: Telnet from any Internet machine to gateway machine.
- Deny: Telnet from any Internet machine to Win-95 machines.
- Allow: Ping from gateway machine to Internet.
- Allow: Ping from Win-95 machines to gateway.
- Deny: Ping from Win-95 machines to Internet.
- Deny: Ping from any Internet machine to gateway machine.
- Deny: Ping from any Internet machine to Win-95 machines.
- Allow: DNS lookup from gateway machine to Internet.
- Allow: DNS lookup from Win-95 machines to gateway.
- Deny: DNS lookup from Win-95 machines to Internet.
- Deny: DNS lookup from any Internet machine to gateway machine.
- Deny: DNS lookup from any Internet machine to Win-95 machines.
- Let our ISP's mail server connect to us so it can deliver
mail to us (to our sendmail) when we connect to the ISP.
- Filter out connections to certain sites (like doubleclick.net)
so they don't put cookies on our Win-95 machines or gateway
machine when we're surfing the web.
- Be able to connect to clock.llnl.gov so we can set the clock
on our Linux box when we dialup our ISP.
- Let through anything else that needs to be let through to make
the system work "normally".
I setup the ipchains on a trial-and-error approach. I turned off
everything and logged everything. Then, for example, I did a ping, and I
looked at the messages file to see what the Internet machines tried to
access locally. I then created a rule to 'ALLOW' those connections. This
brute force approach worked for most things, but I couldn't see the pattern
in a few things.
Thus, the problem is that the current ipchain rules that I've setup limit a
few too many things (and maybe introduce some holes). For example, FTP from
the Win-95 Netscape boxes doesn't work because the target Internet machine
tries to connect back to the proxy server using different ports (above 1024,
I believe). I didn't see the "pattern" in this, so I'm unsure of what to
allow.
FYI, I haven't setup news yet -- that'll come at some point in the future,
but I thought I'd mention it as a "goal". :-)
Oh, and pppd is setup do dial on demand and is also started from rc.local,
thus it is (and always will be) ppp0.
I'm sorry I don't have any logs handy (they are at home), but I'd be happy
to post snippets of them if that would help.
BTW, once I get this worked out, I'd be happy to document it and put it up
on a web site for public consumption.
advTHANKSance.
-Jon
[EMAIL PROTECTED]
10/10/99
==========================================================================
#! /bin/sh
#------------------------------------------------------------------------
#
# Simple script to create packet filtering chains via 'ipchains'.
#
# Jon Scheer
#
#-------------------------------------------------------------------------
#
# Make sure we can find /sbin/ipchains :
#
PATH=$PATH:/sbin
#
# Setup some constants :
#
THIS_GATEWAY=***.***.***.***
ISP_NAMESERVER1=***.***.***.***
ISP_NAMESERVER2=***.***.***.***
ISP_MACHINE1=***.***.***.***
ISP_MACHINE2=***.***.***.***
MAIL_HOST=***.***.***.***
#
# Flush and delete any existing chains :
#
echo "[ Flushing chains... ]"
ipchains -F
ipchains -X
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
#
# Create special chains for our connection to the ISP (ppp0), and
# link them to our ppp0 input/output chain, accordingly :
#
ipchains -N ppp0-in
ipchains -N ppp0-out
ipchains -A input -i ppp0 -j ppp0-in
ipchains -A output -i ppp0 -j ppp0-out
#
# Create a chain for packets which are one of the error ICMPs
# get ACCEPTed, otherwise control will pass back to the calling
# chain :
#
ipchains -N icmp-acc
ipchains -A icmp-acc -p ICMP --icmp-type destination-unreachable -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type source-quench -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type time-exceeded -j ACCEPT
ipchains -A icmp-acc -p ICMP --icmp-type parameter-problem -j ACCEPT
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# Only allow particular packets from the ISP (ppp0-in) and reject
# everything else :
#
# ( For our destination use $THIS_GATEWAY )
#
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# - Don't let any packets in from the ISP that are from 192.168.1.x;
# we should only see those types of packets on our Intranet. If
# we see them come in across the ISP ppp link, then someone is
# trying to spoof the packets to gain entry!
#
ipchains -A ppp0-in -s 192.168.1.0/24 -l -j DENY
#
# - Deny anything that comes in from our ISP that isn't destined
# for our gateway machine (that's me!) :
#
ipchains -A ppp0-in -d ! $THIS_GATEWAY -l -j DENY
#
# - Allow Intranet originated echo-replies (acks from pings).
#
ipchains -A ppp0-in -p ICMP --icmp-type echo-reply -d $THIS_GATEWAY -j
ACCEPT
#
# - Filter out the cookies from various Intranet sites :
#
# 199.95.207.0/24 = ad.doubleclick.net
# 199.95.208.0/24 = ad.doubleclick.net
# 204.253.104.0/24 = ad.doubleclick.net
#
#
ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A ppp0-in -s 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT
ipchains -A ppp0-in -s 199.95.208.0/24 -j REJECT
ipchains -A output -d 204.253.104.0/24 -j REJECT
ipchains -A ppp0-in -s 204.253.104.0/24 -j REJECT
#
# - Allow Intranet originated connections from SMTP :
#
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 smtp -j ACCEPT
#
# - Our ISP does mail queuing for us, so we need to accept
# connections from them ($MAIL_HOST) :
#
ipchains -A ppp0-in -s $MAIL_HOST -d $THIS_GATEWAY -l -j ACCEPT
#
# - Allow Intranet originated connections from name server :
#
ipchains -A ppp0-in -p UDP -s $ISP_NAMESERVER1 domain -d $THIS_GATEWAY -j
ACCEPT
ipchains -A ppp0-in -p UDP -s $ISP_NAMESERVER2 domain -d $THIS_GATEWAY -j
ACCEPT
ipchains -A ppp0-in -p UDP -s 0.0.0.0/0 domain -d $THIS_GATEWAY -j ACCEPT
#
# - Allow Intranet originated connections to auth :
#
ipchains -A ppp0-in -p TCP -d $THIS_GATEWAY auth -j ACCEPT
#
# - Allow FTP connections from our proxy server to the Internet
# (ISP -> me responses) :
#
# *** Note: currently ftp's from machines on our network
# (running Netscape using the the proxy) on our gateway
# do not work! Must get this fixed...
#
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 ftp-data -d $THIS_GATEWAY -j ACCEPT
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 ftp -d $THIS_GATEWAY -j ACCEPT
ipchains -A ppp0-in -p UDP -s 0.0.0.0/0 fsp -d $THIS_GATEWAY -j ACCEPT
#
# - Allow telnet connections from our proxy server to the Internet
# (ISP -> me responses) :
#
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 23 -d $THIS_GATEWAY -j ACCEPT
#
# - Allow WWW connections from our proxy server to the Internet :
#
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 www -d $THIS_GATEWAY -j ACCEPT
ipchains -A ppp0-in -p UDP -s 0.0.0.0/0 www -d $THIS_GATEWAY -j ACCEPT
ipchains -A ppp0-in -p TCP -s 0.0.0.0/0 https -d $THIS_GATEWAY -j ACCEPT
ipchains -A ppp0-in -p UDP -s 0.0.0.0/0 https -d $THIS_GATEWAY -j ACCEPT
#
# - Allow responses from clock.llnl.gov (for fixtime) :
#
ipchains -A ppp0-in -p TCP -s clock.llnl.gov 37 -d $THIS_GATEWAY -j ACCEPT
#
# - Our ISP likes to make a connection from some of their machines,
# so we to accept those connections :
#
ipchains -A ppp0-in -s $ISP_MACHINE1 -d $THIS_GATEWAY -l -j ACCEPT
ipchains -A ppp0-in -s $ISP_MACHINE2 -d $THIS_GATEWAY -l -j ACCEPT
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
# - Made it here, so try running it through ICMP error list :
#
ipchains -A ppp0-in -j icmp-acc
#
# - Reject anything else :
#
ipchains -A ppp0-in -l -j REJECT
#
# Build the ippchains.rules file :
#
echo "[ Building ./ipchains.rules ]"
/sbin/ipchains-save > ./ipchains.rules
status=$?
#
# Exit gracefully :
#
exit $status
#------------------------------------------------------------------------
#------------------------------------------------------------------------
Received: from mail01-baxter.baxter.com. ([204.48.31.49]) by
ccmailgw.mcgawpark.baxter.com with SMTP
(IMA Internet Exchange 3.11) id 006208C3; Sun, 10 Oct 1999 14:38:30 -0500
Received: from mail03-ord.pilot.net (localhost [127.0.0.1]) by
mail01-baxter.baxter.com. with ESMTP id OAA28782 for
<[EMAIL PROTECTED]>; Sun, 10 Oct 1999 14:38:30
-0500 (CDT)
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247]) by
mail03-ord.pilot.net with SMTP id OAA26432 for
<[EMAIL PROTECTED]>; Sun, 10 Oct 1999 14:38:29
-0500 (CDT)
Received: (qmail 1628 invoked by uid 501); 10 Oct 1999 19:38:22 -0000
Resent-Date: 10 Oct 1999 19:38:22 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From [EMAIL PROTECTED] Sun Oct 10 15:38:22 1999
Mime-Version: 1.0
Date: Sun, 10 Oct 1999 14:36:41 -0500
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Jon Scheer)
Subject: Ipchains + traditional firewall.
To: Red Hat PPP List <[EMAIL PROTECTED]>
Cc: Jon Scheer <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Description: cc:Mail note part
Resent-Message-ID: <"OtZt_2.0.1P.kiE0u"@lists.redhat.com>
Resent-From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Mailing-List: <[EMAIL PROTECTED]> archive/latest/125
X-Loop: [EMAIL PROTECTED]
Precedence: list
Resent-Sender: [EMAIL PROTECTED]
X-URL: http://www.redhat.com
